Solved: Re: regex not working

reverse · ‎06-13-2019

not working in splunk.

Error in 'rex' command: Encountered the following error while compiling the regex '(?<v1>.+:\.+?\(.+?)\.+)': Regex: unmatched closing parenthesis

Vijeta · ‎06-13-2019

@reverse - A backslash seems to be misplaced in your expression. It should be '(?<v1>.+:\.+?\(.+?\).+)':

Vijeta · ‎06-13-2019

@reverse - A backslash seems to be misplaced in your expression. It should be '(?<v1>.+:\.+?\(.+?\).+)':

jazzypai · ‎06-13-2019

Try out the following as for regex101.com

(?<drive>\w)\:\\(?<first>[\w]+)\\(?<second>[\w]+)\\(?<third>[\w]+)\\(?<filename>[\d\w\.]+)

Try this out in splunk;

 | rex field=string "(?<drive>\w)\:\\\(?<first>[\w]+)\\\(?<second>[\w]+)\\\(?<third>[\w]+)\\\(?<filename>[\d\w\.]+)"

This will parse the entire path that you listed.

saurabhkharkar · ‎06-13-2019

what are you trying to parse ?

reverse · ‎06-13-2019

I want to extract DEF.

reverse · ‎06-13-2019

jazzypai · ‎06-13-2019

Do you want to extract DEF or do you want to extract the name of the second directory, where DEF is located?

reverse · ‎06-13-2019

name of the second directory

saurabhkharkar · ‎06-13-2019

| makeresults
| eval string ="c:\ABC\DEF\LOGS\1.LOG"
| rex field=string ".*?\\\\\w+\\\(?<extract_attribute>\w+).+"
| table string extract_attribute

regex not working